Gentoo's Bugzilla – Attachment 170361 Details for
Bug 243058
<www-client/lynx-2.8.6-r4 lynxcgi url handler issue (CVE-2008-4690)
[patch]
lynx-2.8.6-CVE-2008-4690.patch
lynx-2.8.6-CVE-2008-4690.patch (text/plain), 1.56 KB, created by
Robert Buchholz (RETIRED)
on 2008-10-30 22:53:56 UTC
>Index: lynx2-8-6/CHANGES >=================================================================== >--- lynx2-8-6.orig/CHANGES >+++ lynx2-8-6/CHANGES >@@ -1,6 +1,13 @@ > Changes since Lynx 2.8 release > =============================================================================== > >+2008-10-26 >+* modify patch for CVE-2005-2929 to prompt user before executing command via >+ a lynxcgi link even in advanced mode, as the actual URL may not be shown but >+ hidden behind an HTTP redirect >+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default >+ [CVE-2008-4690] >+ > 2006-11-15 (2.8.6rel.4 diverges from 2.8.7dev.4) > * limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found > relative to the user's home directory. This change is less flexible than the >Index: lynx2-8-6/lynx.cfg >=================================================================== >--- lynx2-8-6.orig/lynx.cfg >+++ lynx2-8-6/lynx.cfg >@@ -1026,7 +1026,7 @@ DEFAULT_INDEX_FILE:http://lynx.isc.org/ > # ==== > # Do not define this. > # >-#TRUSTED_LYNXCGI:none >+TRUSTED_LYNXCGI:none > > > .h2 LYNXCGI_ENVIRONMENT >Index: lynx2-8-6/src/LYCgi.c >=================================================================== >--- lynx2-8-6.orig/src/LYCgi.c >+++ lynx2-8-6/src/LYCgi.c >@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin > if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) { > /* exec_ok gives out msg. */ > result = FALSE; >- } else if (user_mode < ADVANCED_MODE) { >+ } else { > StrAllocCopy(command, linktext); > if (non_empty(linkargs)) { > HTSprintf(&command, " %s", linkargs);
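Review bot: In the lynx.cfg hunk, the unchanged context line "# Do not define this." now sits directly above an active `TRUSTED_LYNXCGI:none`, so the shipped comment contradicts the shipped setting. Update that comment in the same hunk to say that `none` is now the default and disables all lynxcgi URLs (as the CHANGES entry states), so an administrator reading lynx.cfg does not re-comment the line on the strength of the old advice.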
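Review bot: In the src/LYCgi.c hunk, the bare `} else {` in can_exec_cgi() removes the `user_mode < ADVANCED_MODE` test without any comment at the branch, so the reason the confirmation now applies in advanced mode too (the actual URL may be hidden behind an HTTP redirect) is recorded only in CHANGES. Add a short comment on that branch stating this, so a later cleanup does not restore the advanced-mode shortcut. The visible lines build the prompt text from `linktext` plus `linkargs`; it is worth checking in the rest of the function that this is the same string that ends up being executed.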